Nowadays, a banner pops up immediately on almost every website asking us to accept or refuse cookies, or simply to inform us that cookies are being used before we can browse the website.
Do I need to have a cookie banner on my website?
In the case of Switzerland, this question can be answered by taking a look at the Telecommunications Act (TCA). This states, in Art. 45c TCA, that “processing of data on external equipment by means of transmission using telecommunications techniques is permitted only […] if users are informed about the processing and its purpose and are informed that they may refuse to allow processing.”
Accordingly, in principle, the use of cookies and other technologies in Switzerland does not require consent, as long as the user does not assert their right of refusal or the relevant website uses methods that do not involve personal data. According to Swiss law, it’s sufficient to provide information on processing and the right of refusal.
Update for Google products in Switzerland
As of 31 July 2024, Google is expanding its EU User Consent Policy to Switzerland. Website operators who target the Swiss public and use Google products like Google Analytics or Google Ads must now also comply with this policy. Otherwise, these Google products may not be usable or their use may be subject to limitations.
The Google policy requires the consent of the website visitor in the following cases:
- Consent to cookies and local data storage: In Switzerland, consent to the use of cookies and other local data storage on the user’s device is generally not required, as it is not prescribed by law (see this blog post).
- Consent to the use of personal data for personalized advertising: The Google policy requires users to consent to the use of personalized advertising (e.g., through Google Ads). Whether consent is required depends on the specific use of the products. The policy also states that there is no need to send confirmation of such consent to Google.
- Consent to publisher products: The use of publisher products (like Google AdSense, Ad Manager, or AdMob) requires consent, which must be sent to Google using Consent Mode or the IAB Transparency & Consent Framework (TCF).
More information is available from Google here.
However, it is also conceivable that information about the processing and its purpose or the right of refusal does not even have to be provided. After all, the obligation set out in the Telecommunications Act only exists in those circumstances in which the following prerequisites are met:
- Personal data is processed under the control of the data processor (website operator). This does not include the processing of anonymous data, e.g. when cookies are used to save user settings where no personal reference can be established.
- The data processor uses a device that cannot be assigned to them for data processing. This is the case, for instance, when they save a cookie on the website visitor’s device.
- The device is used by the person whose personal data is being processed.
- Data processing must aim to give the data processor (or a third party) access to the user’s personal data.
- Processing must take place by means of transmission using telecommunications techniques and the processing and/or transmission may not take place at the user’s initiative.
At this juncture, it’s also worth noting the following point: Art. 45c TCA is technology neutral. This means its provisions apply irrespective of whether cookies or other comparable technologies are used. What matters is whether the above conditions are fulfilled or not.
What changes with the new Swiss Federal Act on Data Protection?
In short: with regard to cookie banners, nothing. They are also not required under the new Swiss legislation.
The revised Federal Act on Data Protection (FADP) entering into force on September 1, 2023 sets out a new provision in Art. 7(3) whereby the controller (website operator) must also ensure through pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise. In some places, this stipulation is interpreted as an obligation to use cookie banners. However, in the view of VISCHER's legal experts, this is not correct: the controller can provide the user with several cookie and data-protection options. If they offer such options to choose from and the cookies contain personal data, then – and only then – must the pre-defined setting provide for the least extensive setting on the basis of the new provision. However, if the website does not offer the option to choose, then logically no pre-defined settings are needed.
The new law therefore changes nothing in this area: from September 2023, there is no obligation for websites aimed at users in Switzerland to have cookie banners. Incidentally, there is also no obligation that a box on a consent banner may not already be pre-checked.
When processing personal data (e.g. using cookies or other technologies), the provisions of the Federal Act on Data Protection, as well as the Telecommunications Act, must be observed. Assessing the lawfulness of data processing and the necessity of consent may also be required in the event that data is disclosed to third parties or abroad, or in the event of particularly extensive tracking.
In a previous Hostpoint blog post, the VISCHER law firm described what to look out for in the new Federal Act on Data Protection. Read the post “The new Data Protection Act will take effect in 2023. What you need to know”.
What do I need to do now as a website operator?
As we’ve mentioned, a cookie banner is generally not required – neither to obtain consent nor to inform users about the use of cookies.
If cookies or other technologies are used, processing and the purposes of processing must be referred to in the privacy policy available on the website. In addition, the privacy policy must indicate that users can refuse processing by changing their own browser settings.
A more user-friendly method of refusal can also be integrated into the site if no settings options are provided. Otherwise, these would have to provide the least extensive setting when visiting the website.
Find out more:
In a previous post on the Hostpoint blog, the law firm VISCHER put together some important and helpful tips for drafting a privacy policy for your own website. Read the post “How to write a good privacy policy for your website”.
European law
However, caution is advised. Although cookie banners are not legally required for websites in Switzerland under Swiss law, there’s a (rather considerable) catch:
Swiss companies and website operators may be obliged under European law to use cookie banners and obtain consent. If a website is aimed at EU member states, the ePrivacy Directive or its national implementing legislation may apply. The ePrivacy Directive states that the storage of information or access to information that is already stored on a user’s device is only permitted after clear and informed consent, unless it involves data that is technically required to provide the desired service in the first place. According to EU law, unlike Swiss legislation, prior consent is required to obtain and process information. This consent can be obtained via a cookie banner, for instance.
Like the Swiss Telecommunications Act, the ePrivacy Directive is also technology-neutral and applies irrespective of whether cookies are stored or other technologies (such as what is known as “fingerprinting”) are used to access information on the device. It therefore depends on the precise design of the technology in each case, not on what the technology is called. If a “cookieless” method is used, you should not automatically draw the conclusion that consent is not required. According to the ePrivacy Directive, what matters is whether information is stored on the device or stored information is accessed. In the latter case, the widespread (but not undisputed) view is that it must still be decided whether only information is processed that the browser sends to the server anyway (known as “header information”) or whether further information is actively accessed. According to the ePrivacy Directive, consent is usually not required for processing information that is sent additionally by the browser.
If websites are used to sell products in the EEA, cookie banners are required in certain cases according to the ePrivacy Directive and GDPR.
Now it gets really interesting: if a Swiss company (using its website, for instance) offers goods or services in the European Economic Area (EEA) or tracks the behavior of individuals in the EEA, it may be required to consider the provisions of the European General Data Protection Regulation (GDPR) in addition to the ePrivacy Directive. The GDPR applies not only in the EU, but in the entire EEA (including Liechtenstein, for instance). It is only applicable if a personal reference can be established. In the view of many EEA data protection authorities, however, this already exists if individual users can be specified with the allocation of identification numbers. If technologies are used to track users over multiple visits and then create a profile for marketing purposes, many EEA data protection specialists believe that consent is required as a basis, even if the visitors cannot be identified.
A website operator is therefore well-advised always to check whether the ePrivacy Directive or GDPR is actually applicable in the first instance. If this is the case, consent is generally required by means of a cookie banner when using cookies. With a “cookieless” method, the exact design may require closer examination. To minimize potential risks, it may therefore make sense to obtain consent for the sake of simplicity. Work on the ePrivacy Regulation is currently underway in the EU. This may entail further new developments in future.
About the authors:
This post was written by two legal experts, Lucian Hunger (attorney) and Alisa Winter (junior associate) at the VISCHER law firm, and was contributed as a guest post to the Hostpoint blog.